ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b7dfa2793f
TenantAtlas/tests/Feature/Filament/PolicyVersionAdminTenantParityTest.php
ahmido 1f3619bd16 feat: tenant-owned query canon and wrong-tenant guards (#180) 
## Summary
- introduce a shared tenant-owned query and record-resolution canon for first-slice Filament resources
- harden direct views, row actions, bulk actions, relation managers, and workspace-admin canonical viewers against wrong-tenant access
- add registry-backed rollout metadata, search posture handling, architectural guards, and focused Pest coverage for scope parity and 404/403 semantics

## Included
- Spec 150 package under `specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/`
- shared support classes: `TenantOwnedModelFamilies`, `TenantOwnedQueryScope`, `TenantOwnedRecordResolver`
- shared Filament concern: `InteractsWithTenantOwnedRecords`
- resource/page/policy hardening across findings, policies, policy versions, backup schedules, backup sets, restore runs, inventory items, and Entra groups
- additional regression coverage for canonical tenant state, wrong-tenant record resolution, relation-manager congruence, and action-surface guardrails

## Validation
- `vendor/bin/sail artisan test --compact` passed
- full suite result: `2733 passed, 8 skipped`
- formatting applied with `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Livewire v4.0+ compliant via existing Filament v5 stack
- provider registration remains in `bootstrap/providers.php`
- globally searchable first-slice posture: Entra groups scoped; policies and policy versions explicitly disabled
- destructive actions continue to use confirmation and policy authorization
- no new Filament assets added; existing deployment flow remains unchanged, including `php artisan filament:assets` when registered assets are used

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #180
2026-03-18 08:33:13 +00:00

76 lines
3.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Resources\PolicyVersionResource;
use App\Filament\Resources\PolicyVersionResource\Pages\ListPolicyVersions;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
uses(RefreshDatabase::class);
it('scopes the admin policy-version list to the remembered canonical tenant', function (): void {
$tenantA = Tenant::factory()->create();
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
$tenantB = Tenant::factory()->create(['workspace_id' => (int) $tenantA->workspace_id]);
createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');
$policyA = Policy::factory()->for($tenantA)->create(['display_name' => 'Remembered policy']);
$policyB = Policy::factory()->for($tenantB)->create(['display_name' => 'Other policy']);
$versionA = PolicyVersion::factory()->for($tenantA)->for($policyA)->create(['version_number' => 10]);
$versionB = PolicyVersion::factory()->for($tenantB)->for($policyB)->create(['version_number' => 20]);
$this->actingAs($user);
Filament::setCurrentPanel('admin');
Filament::setTenant(null, true);
Filament::bootCurrentPanel();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantA->getKey(),
]);
Livewire::actingAs($user)->test(ListPolicyVersions::class)
->assertCanSeeTableRecords([$versionA])
->assertCanNotSeeTableRecords([$versionB]);
});
it('returns not found for admin policy-version detail outside the remembered canonical tenant', function (): void {
$tenantA = Tenant::factory()->create();
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
$tenantB = Tenant::factory()->create(['workspace_id' => (int) $tenantA->workspace_id]);
createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');
$policyA = Policy::factory()->for($tenantA)->create();
$policyB = Policy::factory()->for($tenantB)->create();
$versionA = PolicyVersion::factory()->for($tenantA)->for($policyA)->create();
$versionB = PolicyVersion::factory()->for($tenantB)->for($policyB)->create();
$this->actingAs($user);
Filament::setCurrentPanel('admin');
Filament::setTenant(null, true);
Filament::bootCurrentPanel();
$session = [
WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id,
WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
(string) $tenantA->workspace_id => (int) $tenantA->getKey(),
],
];
$this->withSession($session)
->get(PolicyVersionResource::getUrl('view', ['record' => $versionA], panel: 'admin'))
->assertSuccessful();
$this->withSession($session)
->get(PolicyVersionResource::getUrl('view', ['record' => $versionB], panel: 'admin'))
->assertNotFound();
});
Reference in New Issue View Git Blame Copy Permalink